Some vulnerabilities have recently been patched, others are still being fixed, and many more probably exist but have not yet been discovered.
Details of this critical vulnerability in Instagram were made public on the internet today. As mentioned above, it could allow a remote attacker to reset the password of any Instagram account and take full control of it.
A "password reset" or "password recovery" feature allows users to regain access to their account on a website if they forget their password.
On Instagram, users receive a six-digit secret code (which expires after 10 minutes) on their mobile number or email account to prove their identity.
This means that one of the million possible six-digit combinations can unlock any Instagram account through a brute-force attack. It is not as simple as it sounds, however, because Instagram applies rate limiting to prevent exactly this kind of attack.
However, Laxman found that the rate limiting could be bypassed by sending the brute-force requests from many different IP addresses at the same time, so that multiple attempts are processed concurrently.
Sending the requests in parallel and rotating the source IP addresses together circumvent the protection. The 10-minute expiry of the code is the main constraint the attacker has to work within.
"In a real attack scenario, the attacker needs 5000 IPs to hack an account... it sounds big, but this is really easy if you use a cloud service provider like Amazon or Google. It would cost about 150 dollars to perform the full attack through a million codes," said the researcher.
Laxman also released a proof-of-concept exploit for the vulnerability, which Instagram has now fixed; the company rewarded him with $30,000 as part of its bug bounty program.
To protect your accounts from many types of online attacks, and to reduce your chances of being hacked when malicious users target vulnerable applications directly, it is strongly recommended that you enable two-factor authentication, which can prevent attackers from accessing your accounts.